
TL;DR: If your company collects personal data, you’re probably on the hook for DSRs.

What is a DSR? (Data Subject Request)
A Data Subject Request (DSR) is a formal request made by an individual—your user, customer, or even just someone in your dataset—to exercise their rights under data privacy laws. You’ll often hear the term DSAR (Data Subject Access Request) used interchangeably, but technically:
DSAR refers specifically to a user’s right to access their personal data.
DSR is a broader umbrella term that includes:
Right to deletion (aka “right to be forgotten”)
Right to correction
Right to opt out of data sales or profiling
Right to data portability
Right to know how data is collected, shared, and used
Why You Need to Care: The Legal Landscape
If your business operates in or serves people in Europe or the United States, chances are you're legally obligated to honor DSRs. Here’s a breakdown:
Covered Jurisdictions:
GDPR (EU/UK): Applies to any company collecting or processing data of EU/UK residents.
California (CCPA/CPRA): Covers businesses with over $25M in revenue, or those collecting data on 100,000+ California residents.
Other U.S. State Laws: Over 20 U.S. states have privacy laws now or coming online soon (e.g., Colorado, Connecticut, Virginia, Utah).
Data Broker Laws: States like California, Texas, Oregon, and Vermont require data brokers to register and comply with expanded deletion request obligations.
Core User Rights Under These Laws:
📄 Access: What data do you have about me?
🧽 Deletion: Remove my data.
🛠 Correction: Fix inaccurate information.
⛔ Opt-out: Stop selling or sharing my data.
🔐 Restriction: Limit how my data is used.
📤 Portability: Give me a copy of my data.

How DSRs Must Be Handled (And Where Most Teams Get It Wrong)
Intake Requirements:
Most privacy laws require that companies:
Offer at least two methods for submitting a DSR (usually a web form and an email).
Clearly publish these methods in your privacy policy.
Respond to requests within a specific timeframe—usually:
30–45 days from receipt
With a possible extension of another 30–45 days, if justified
Verification Is Tricky (and Risky)
Verifying identity is essential, but asking for too much verification is also a risk:
✅ A good practice: Email verification links
❌ Too burdensome: Asking for a government-issued ID, unless strictly necessary
Example: Charles Schwab was fined $275,000 by the California Privacy Protection Agency (CPPA) for requiring ID to process simple requests, which was ruled obstructive.
Gotchas to Watch For:
⚠ Accidental data leaks: If you fulfill a portability request without confirming identity, you might expose private data to the wrong person.
🧾 Authorized agents: Some laws allow others (e.g. lawyers, data removal services) to submit requests on the individual’s behalf—but that doesn't mean you can skip verification.
🔁 Repetitive requests: You may receive multiple requests from the same user across different platforms or systems. Without good tooling, tracking this gets messy.
What Happens If You Ignore or Mishandle a DSR?
Non-compliance can get expensive—fast.
In California, fines can reach $200/day per request you fail to fulfill.
The EU’s GDPR sets maximum penalties at €20 million or 4% of annual global revenue, whichever is greater.
Failing to verify identity correctly can also result in data breaches, leading to even larger regulatory exposure.
And if you're a registered data broker, you're likely to get flooded with requests—potentially thousands per day.
Even If You’re Not Required To, You Should Probably Accept DSRs
Here's the twist: Even companies not (yet) covered by these laws should prepare for DSRs. Why?
🌱 Future-proofing: The privacy landscape is evolving rapidly. Being ready now saves time (and face) later.
💼 Customer trust: A transparent, respectful data practice builds brand equity.
🔁 Operational readiness: The infrastructure you build now can scale as you grow—or as laws change.
Managing DSRs at Scale: Why You’ll Need Software (Sooner Than You Think)
Manually handling requests in Gmail and Google Sheets might work… until it doesn’t.
As volumes grow or complexity increases (think: multi-region laws, sensitive data, or registered broker status), it becomes critical to automate.
Key Features to Look for in DSR Management Tools:
✅ Request intake: via web forms, email, or APIs
🗂 Request categorization: type, jurisdiction, deadline
⏱ Deadline tracking: automatic SLA timers
🔁 Automated fulfillment: data deletion, exports, or opt-outs
📜 Audit logs: full transparency in case of regulator review
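The verification and tracking points above (email verification links, refusing to fulfill a portability request before identity is confirmed, SLA timers with one extension, and an audit trail) come together in the following added example. It is not code from the original post or from any DSR product; it assumes a 45-day response window, a single 45-day extension, 24-hour single-use verification tokens, an in-memory data store, and handles access, portability, deletion and opt-out requests. All request and customer data in it is constructed sample data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values (not from the post): 45-day window, one 45-day
# extension, verification links that expire after 24 hours.
RESPONSE_WINDOW = timedelta(days=45)
EXTENSION = timedelta(days=45)
TOKEN_TTL = timedelta(hours=24)
REQUEST_KINDS = {"access", "portability", "deletion", "opt-out"}


@dataclass
class DSR:
    request_id: str
    email: str
    kind: str
    received_at: datetime
    deadline: datetime
    verified: bool = False
    extended: bool = False
    token_hash: Optional[str] = None           # only the hash is stored, never the token
    token_expires: Optional[datetime] = None
    audit: list = field(default_factory=list)  # (timestamp, event) pairs for regulator review


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def open_request(email: str, kind: str, now: datetime):
    """Record a new request; return (record, one-time token to embed in the email link)."""
    if kind not in REQUEST_KINDS:
        raise ValueError(f"unknown request kind: {kind}")
    token = secrets.token_urlsafe(32)
    req = DSR(request_id=secrets.token_hex(8), email=email, kind=kind, received_at=now,
              deadline=now + RESPONSE_WINDOW,      # the SLA clock starts at receipt
              token_hash=_hash_token(token), token_expires=now + TOKEN_TTL)
    req.audit.append((now, "received"))
    return req, token


def verify(req: DSR, token: str, now: datetime) -> bool:
    """Confirm control of the mailbox via the emailed link. Single use, time-limited."""
    if req.token_hash is None or req.token_expires is None or now > req.token_expires:
        req.audit.append((now, "verify_failed:expired_or_used"))
        return False
    if not hmac.compare_digest(_hash_token(token), req.token_hash):
        req.audit.append((now, "verify_failed:mismatch"))
        return False
    req.verified = True
    req.token_hash = None   # burn the token so a forwarded or leaked link cannot be replayed
    req.audit.append((now, "verified"))
    return True


def extend_deadline(req: DSR, now: datetime, reason: str) -> bool:
    """Apply the one permitted extension; the justification is written to the audit log."""
    if req.extended:
        req.audit.append((now, "extension_refused:already_extended"))
        return False
    req.extended = True
    req.deadline += EXTENSION
    req.audit.append((now, f"extended:{reason}"))
    return True


def days_remaining(req: DSR, now: datetime) -> int:
    return (req.deadline - now).days


def fulfill(req: DSR, now: datetime, store: dict):
    """Release, delete or flag data only for a verified requester; None means refused."""
    if not req.verified:
        req.audit.append((now, "fulfill_refused:unverified"))   # blocks the accidental-leak case
        return None
    if req.kind in ("access", "portability"):
        result = dict(store.get(req.email, {}))
    elif req.kind == "deletion":
        store.pop(req.email, None)
        result = True
    else:                                                        # opt-out
        store.setdefault(req.email, {})["do_not_sell"] = True
        result = True
    req.audit.append((now, f"fulfilled:{req.kind}"))
    return result


def sample_now() -> datetime:
    """Fixed clock for the constructed walkthrough."""
    return datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)


def walkthrough() -> dict:
    """Constructed run: portability request, refused export, bad link, good link, replay, extension."""
    t0 = sample_now()
    store = {"ada@example.com": {"name": "Ada", "plan": "pro"}}   # constructed customer record
    req, token = open_request("ada@example.com", "portability", t0)
    refused = fulfill(req, t0, store)                        # unverified -> None
    bad = verify(req, "not-the-token", t0)                   # wrong token -> False
    ok = verify(req, token, t0 + timedelta(hours=1))         # right token inside TTL -> True
    replay = verify(req, token, t0 + timedelta(hours=2))     # burned token -> False
    export = fulfill(req, t0 + timedelta(days=3), store)
    extend_deadline(req, t0 + timedelta(days=20), "multi-region data discovery")
    return {"refused_before_verify": refused is None, "bad_token": bad, "verified": ok,
            "replay_blocked": not replay, "export": export,
            "deadline_days": (req.deadline - t0).days, "events": [e for _, e in req.audit]}
```

The audit list records refusals as well as successes, which is what a regulator asks for when a requester complains; the token is hashed at rest and compared in constant time, so a database read does not hand out usable verification links.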
Top Tools in the Market:
Each has strengths in automation, data discovery, and compliance workflows. For high-volume orgs (e.g. adtech, fintech, SaaS at scale), automation isn’t optional—it’s a compliance control.
How to Get Compliant (and Stay That Way)
Step-by-Step:
Assess your exposure: What laws apply to your company? Are you a registered broker?
Map your data: Know what you collect, where it lives, and how it flows.
Publish a clear privacy policy: Include at least two submission methods.
Set up intake: A web form + privacy@ inbox is a strong baseline.
Verify identities—wisely: Don't block users, but do protect data.
Use software: If you're getting more than 10 requests a month, it's time.
Ready to Make DSR Compliance Easy?
If you're managing DSRs manually—or just wondering how exposed you are—we can help you:
Assess your current process
Recommend tools that fit your data stack
Automate compliance without slowing your team down
👉 Set up Automation for your Data Subject Requests